TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Standard Database Security Configurations Are Adequate, Although Much Work Is Needed to Ensure Proper Implementation

August 22, 2007

Reference Number: 2007-20-129

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process, and information determined to be restricted from public release has been redacted from this document.

Redaction Legend:
2(f) = Risk Circumvention of Agency Regulation or Statute

Phone Number  | 202-927-7037
Email Address | Bonnie.Heald@tigta.treas.gov
Web Site      | http://www.tigta.gov

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

August 22, 2007

MEMORANDUM FOR CHIEF INFORMATION OFFICER

FROM: Michael R. Phillips, Deputy Inspector General for Audit

SUBJECT: Final Audit Report – Standard Database Security Configurations Are Adequate, Although Much Work Is Needed to Ensure Proper Implementation (Audit # 200620033)

This report presents the results of our review of the adequacy of the Internal Revenue Service’s (IRS) standard database security configurations and the effectiveness of their implementation. This audit is part of the statutory audit coverage under the Information Systems Programs and is included in the Treasury Inspector General for Tax Administration Fiscal Year 2007 Annual Audit Plan.

Impact on the Taxpayer

Database security controls are an organization’s last line of defense in protecting sensitive data. While the IRS’ standard database security configurations are adequate, they are not effectively implemented on critical databases. Failure to adequately secure these databases places nearly all individual and business taxpayer accounts at risk of unauthorized access, which can lead to identity theft or fraud.

Synopsis

IRS databases contain some of the most sensitive information in the Federal Government: taxpayer personal and financial information. While the security of any computer system depends on the number and strength of the layers of security protecting it, the last and possibly best line of defense in protecting data is the set of database security controls.

The IRS has developed adequate standard database security configurations that are aligned with Federal Government guidelines and best practices. However, these standard configurations have not been effectively implemented. We tested basic database security controls on 17 databases from 8 tax administration applications. Collectively, these databases failed 30 percent of our tests. Using the IRS’ rating methodology for standards compliance, all databases we reviewed earned the lowest possible rating. Exploitation of the vulnerabilities found could result in unauthorized access to taxpayer information and ultimately in identity theft or fraud. The control weaknesses occurred because standard database security configurations were poorly communicated, security roles and responsibilities were not assigned or carried out, and tests to detect noncompliance with standard configurations were inadequate.

Many of the employees supporting the applications we reviewed were unaware of the IRS’ standard database security configurations. In fact, some employees first became aware the configurations existed during interviews conducted for this audit. Several factors contributed to the poor communication of the standard configurations, including problems with the announcements of the issuance of the configurations and the posting of an outdated version of the configurations on an internal IRS web site.

Also, the roles and responsibilities for securing databases have not been fulfilled. Key security responsibilities, such as ensuring standard database security configurations are implemented, have not been assigned. Managers and employees with responsibility for securing the applications have not taken their security responsibilities seriously, and managers are not holding employees accountable for failing to implement database security controls. Their approach to security appears to be reactive, waiting for others to point out security actions that need to be taken. However, security requires a proactive approach. If such an approach had been taken, managers and employees would have sought out the configurations instead of waiting for them to be delivered to their desktops.

We also found inadequate processes for detecting noncompliance with standard database security configurations, although progress is being made. The Mission Assurance and Security Services organization is responsible for assessing the security of computer systems and tracking compliance with IRS standard configurations. Security testing in 2006 for two of the applications we reviewed did not include tests of database controls. The Mission Assurance and Security Services organization did revise its security testing and evaluation methodology for the 2007 testing cycle, which now includes more testing of database controls. In addition, the IRS currently does not have tools to test compliance with standard database security configurations. Efforts are underway to conduct more testing, but the IRS has not developed a project plan or procedures to aid in managing this effort. In July 2007, the information technology security program within the Mission Assurance and Security Services organization was realigned to a new Cybersecurity organization, reporting to the IRS Chief Information Officer.

Recommendations

We recommended the Chief Information Officer ensure the database security control weaknesses we identified are corrected, re-publicize standard database security configurations, and ensure the Modernization and Information Technology Services organization’s internal web sites refer to the appropriate web site for current security configurations. In addition, we recommended the Chief Information Officer ensure security and administration responsibilities are properly assigned for all IRS databases and investigate alternatives for ensuring employees are aware of their database security responsibilities, with managers holding their employees accountable for meeting those responsibilities. We also recommended the Chief Information Officer ensure security testing evaluates compliance with standard database security configurations and develop an implementation plan and standard operating procedures for the IRS’ database compliance assessment tool.

Response

The Chief Information Officer agreed with all of our recommendations. Planned corrective actions include adding specific weaknesses identified in this review to corrective plans of action and milestones. The IRS’ standard database security configurations will also be re-communicated throughout the agency. A memorandum will be distributed within the Modernization and Information Technology Services organization reiterating that internal web sites refer to the appropriate web site for current security configuration guidance. The Chief Information Officer will assign a project officer and develop a project plan to coordinate activities required to resolve all IRS-wide issues associated with the implementation of database security controls in IRS systems, including activities to ensure all IRS databases have individuals assigned to specifically perform security and administration responsibilities. Quarterly reviews will be performed to ensure compliance with IRS policy for these responsibilities, with noncompliance reported to IRS executives for appropriate action. The Chief Information Officer also agreed to include standard database security configurations in the list of controls tested annually. Also, an implementation plan and procedures will be developed for the IRS’ database compliance assessment tool. Management’s complete response to the draft report is included as Appendix VI.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions, or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at 202-622-8510.

Table of Contents

Background
Results of Review
    Standard Database Security Configurations Are Adequate
    Standard Database Security Configurations Have Not Been Effectively Implemented
        Recommendation 1
        Recommendations 2 through 4
        Recommendations 5 through 7
Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – Scope of Database Assessment
    Appendix V – Details of Database Assessment
    Appendix VI – Management’s Response to the Draft Report

Abbreviations

IRS    Internal Revenue Service
NIST   National Institute of Standards and Technology
SQL    Structured Query Language

Background

All Federal Government systems contain data that require protection under Office of Management and Budget and Congressional mandates. This protection is typically applied in layers around a computer system. The first layer is the perimeter of the system, where network controls identify and prevent attacks originating from outside an organization. Successive layers of controls in the operating systems, applications, and databases are usually needed to protect an organization’s data. Consequently, a computer system’s security depends on the number and strength of the layers of protection. However, because database software stores and manages an organization’s data, database security controls are the last and possibly the best line of defense in protecting this critical asset.

For the Internal Revenue Service (IRS), taxpayer personal and financial information is the most critical asset it is charged with safeguarding. Due to the sensitivity of this data, the IRS could be a target for malicious users intent on committing identity theft.
Attacks on this data could also result in financial losses to the Federal Government, privacy violations, and breaches of national security. Consequently, the IRS’ database controls need to be strong.

The Mission Assurance and Security Services organization[1] is responsible for establishing IRS computer security policies, assessing the security of computer systems, and tracking compliance with IRS policies and standards. Responsibility for implementing database security policies and standards generally falls to the Modernization and Information Technology Services organization. IRS business units also share responsibility for implementing computer security controls.

While the IRS uses more than 30 different database software products and has more than 2,100 database installations, three products (Microsoft’s Structured Query Language [SQL] Server, IBM’s DB2, and Oracle database systems) are by far the most widely used. Our review focused on whether the IRS’ standard database security configurations are adequate and effectively implemented for these three products.

[1] In July 2007, the information technology security program within the Mission Assurance and Security Services organization was realigned to a new Cybersecurity organization within the Modernization and Information Technology Services organization. The new organization reports to the IRS Chief Information Officer.

This review was performed at the Chief Information Officer and Mission Assurance and Security Services organization offices in New Carrollton, Maryland; the Enterprise Computing Center[2] in Memphis, Tennessee; and the IRS campuses[3] in Chamblee, Georgia, and Austin, Texas, during the period January through April 2007. The audit was conducted in accordance with Government Auditing Standards. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

[2] IRS Computing Centers support tax processing and information management through a data processing and telecommunications infrastructure.
[3] The data processing arm of the IRS. The campuses process paper and electronic submissions, correct errors, and forward data to the Computing Centers for analysis and posting to taxpayer accounts.

Results of Review

Standard Database Security Configurations Are Adequate

Minimum Security Requirements for Federal Information and Information Systems (Federal Information Processing Standard 200) identifies minimum security requirements in 17 security-related areas addressing the management, operational, and technical aspects of protecting Federal Government information and information systems. The National Institute of Standards and Technology’s (NIST)[4] Recommended Security Controls for Federal Information Systems (Special Publication 800-53) aids Federal Government agencies in implementing these requirements by providing guidelines for selecting computer security controls. Additionally, Federal Government agencies publish requirements for specific controls for use within their organizations.

To further aid Federal Government agencies in implementing security controls, the NIST maintains a repository of security configuration checklists that it and other organizations, such as the Defense Information Systems Agency, have developed.[5] These checklists provide a series of instructions for securing a particular computer product, such as an operating system or database software.

In March 2006, the IRS issued standard security configurations for all IRS databases. We reviewed these configurations and determined they are aligned to the management, operational, and technical control areas specified in NIST Special Publication 800-53 and adequately address database-specific security controls in these areas. We also compared the configurations for specific database software with the database security checklists from the NIST repository published by the Defense Information Systems Agency and determined the IRS configurations adequately include the controls from these checklists. Therefore, we conclude the IRS has adequate database security configurations for its most widely used database software.

Although security configurations are adequate for its most widely used databases, nearly one-third of the IRS’ moderate-risk applications use database software without a database-specific standard security configuration. We plan to perform future audits of these applications to determine whether their databases are secured according to IRS standards.

[4] The NIST, under the Department of Commerce, is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all Federal Government agency operations and assets.
[5] Checklists are developed in accordance with Security Configuration Checklists Program for Information Technology Products (NIST Special Publication 800-70).

Standard Database Security Configurations Have Not Been Effectively Implemented

While IRS standard database security configurations are adequate, they have not been effectively implemented. We reviewed 17 databases from 8 applications supporting critical tax administration business processes, such as processing of tax returns, receipt of tax payments, and correspondence with taxpayers. These databases were tested for compliance with controls required by IRS standard database security configurations. The tests included basic database security controls in the areas of identifying and authenticating users, granting access based on job necessity, recording user activity, and updating database software. Appendix IV provides additional details on the scope of our assessment.

Collectively, the databases we reviewed failed 30 percent of the more than 800 controls tested. Included in these results are failed tests for controls aimed at preventing high and moderate risk vulnerabilities. Most databases failed tests in all four basic security control areas tested.
The IRS has established a method for rating operating system compliance with IRS requirements and assigning a color rating. Using this same methodology, we determined that each database received the lowest rating possible, RED. Appendix V provides additional details on the results of our tests.

Exploitation of the vulnerabilities found could result in unauthorized access to taxpayer information and could ultimately result in identity theft or fraud. The systems we reviewed process transactions for nearly all individual and business taxpayer accounts, including paper returns, electronic returns, and electronic payment of taxes. Between October 2006 and April 2007, 2 of the databases we reviewed processed nearly 153 million electronic transactions. If these systems were to be corrupted or disabled, the IRS tax processing system could be crippled, preventing millions of taxpayers from filing their tax returns or paying their taxes.

The control weaknesses we found occurred because standard database security configurations were poorly communicated, security roles and responsibilities were not assigned or carried out, and enforcement of standard configurations is inadequate. The following sections further discuss these issues.

Standard database security configurations were poorly communicated

The standard database security configurations are posted on the Mission Assurance and Security Services organization web site and are accessible to all IRS employees. During interviews, however, we found many employees with key security responsibilities for the applications we reviewed were unaware of the IRS standard database security configurations. For many, their first notice of the existence of the configurations was through these interviews. For example, we found:

• Employees in two application project offices did not receive notice of the issuance of the configurations. For the applications we reviewed, application project offices are responsible for configuring SQL Server and DB2 databases or for managing contractors that manage database configurations.
• One business unit owner was unaware of the IRS standard database security configurations. Business owners are responsible for the overall security of their applications.

Employees were unaware of the standard configurations due, in part, to poor communication by the Mission Assurance and Security Services organization with other business units. These employees were not notified that the configurations had been posted to the Mission Assurance and Security Services organization’s web site. We also reviewed the web site of the organization responsible for maintaining Oracle database standard configurations, which is part of the Modernization and Information Technology Services organization. We found the web site did not contain current configurations or a link to the Mission Assurance and Security Services organization’s web site. After we raised this issue with IRS management during this review, a link to the correct version of the configurations was posted to the web site.

Database security responsibilities were not carried out

The IRS has defined roles and responsibilities for administering and securing its databases. In particular:

• System owners have ultimate responsibility for those systems that support their missions.
• Database administrators are responsible for maintaining a secure database environment.
• Security specialists are responsible for ensuring IRS database security requirements, as documented in standard database security configurations, are met. Security specialists coordinate with database administrators and other operational personnel to ensure requirements are met.

However, some key database security responsibilities were not assigned. Specifically, database administrators were not assigned for SQL Server and DB2 databases. Currently, application developers manage the configuration of these databases and send implementation instructions to server administrators. In addition, security specialist roles were not assigned for most of the applications we reviewed. None of the specialists identified were assigned to the Mission Assurance and Security Services organization, where security specialists are typically located.

Security responsibilities were not taken seriously by the managers and employees responsible for some of the applications we tested. For example:

• The project office for a contractor-managed application was aware of the standard database security configurations issued in March 2006. However, project office personnel informed us that in 2006 they did not require the contractor to implement the configurations due to higher priorities, such as system upgrades. In 2007, a limited budget prevented implementation of the requirements.
• For another contractor-managed application, we were informed that database software updates could not be installed at any point during the IRS’ tax filing season[6] to ensure the application’s services would not be disrupted. However, another tax filing application we reviewed, managed by IRS personnel, was adequately updated. In our compliance ratings, contractor-managed applications scored among the lowest of all applications reviewed.
• In response to our testing, project office personnel for two applications cited perimeter controls as mitigating factors for the risk that database control vulnerabilities pose. However, it is well established that insiders pose as great a risk to computer security as external attackers, or a greater one, and perimeter controls do not restrict users who are already inside the network.
• Employees in the division responsible for managing Oracle databases were unaware of the issuance of standard database security configurations, despite their involvement in the development of the configurations.

Some developers also made design choices for their applications that make it difficult to maintain security. For example, the project office for an application that did not have database software updates installed informed us the database software could not be kept current because the version needed to be compatible with other commercial software used by the application. Consequently, the database software cannot be consistently kept at the most current version.

To ensure database security requirements are implemented, the IRS needs to ensure security roles and responsibilities are appropriately assigned. In addition, the examples we cite indicate that personnel responsible for securing databases are not being held accountable for failing to implement database security controls. Their approach to security appears to be reactive, waiting for others to point out security actions that need to be taken. However, security requires a proactive approach. If such an approach had been taken, managers and employees would have sought out the configurations instead of waiting for them to be delivered to their desktops.

[6] The period from January through mid-April when most individual income tax returns are filed.

Testing to detect noncompliance with standard database security configurations was inadequate

The Mission Assurance and Security Services organization is responsible for assessing the security of computer systems and tracking compliance with IRS policies and standards. There are two primary means by which the Mission Assurance and Security Services organization accomplishes these responsibilities:

• Security testing and evaluation (security controls tested as part of an application’s certification[7] and accreditation).
• Routine compliance assessment (software tools used quarterly to assess compliance of systems with security standard configurations).

Our assessment of these efforts determined that the Mission Assurance and Security Services organization has not adequately enforced standard database security configurations, but it is making progress. Security testing and evaluation results for two of the applications we reviewed, both tested in 2006, showed that, while application controls were tested, database controls were not. The Mission Assurance and Security Services organization did revise its security testing and evaluation methodology for the 2007 testing cycle, which now includes more testing of database controls.

While the Mission Assurance and Security Services organization has compliance assessment tools in place for computer operating systems, it currently does not have tools to test database controls. Currently, the IRS scans databases for commonly known user accounts and passwords, which are included in default installations of database software. We did not identify any of these accounts for the databases we reviewed.
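As an added illustration, not part of this report and not an IRS tool, the following Python script shows what an automated compliance check covering the four basic control areas tested above (identifying and authenticating users, granting access based on job necessity, recording user activity, and updating database software) and the default-account scan just described looks like when run against a snapshot of one database’s configuration. The snapshot, the account and role names, the baseline patch levels, and the password-hash format (plain SHA-256) are all constructed for the example; vendor products store hashes in their own formats, and the IRS color-rating thresholds are not given in this report and are not reproduced.

```python
"""Added example: compliance check of a database configuration snapshot
against four basic control areas plus a default-account scan.  Constructed
for illustration; not an IRS tool or this report's own test procedure."""
import hashlib
from dataclasses import dataclass, field


def sha256_hex(password: str) -> str:
    """Hash format assumed for the snapshot (vendor products use their own)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Vendor default account names and passwords for the three products the
# report covers.  Illustrative subset, not an exhaustive inventory.
DEFAULT_CREDENTIALS = {
    "oracle": {"SCOTT": "tiger", "OUTLN": "outln", "DBSNMP": "dbsnmp"},
    "sqlserver": {"sa": ""},
    "db2": {"db2admin": "db2admin"},
}
# Roles that confer administrative control over the database engine.
ADMIN_ROLES = {"DBA", "SYSDBA", "sysadmin", "SYSADM"}


@dataclass
class Account:
    name: str
    password_hash: str
    roles: set = field(default_factory=set)
    locked: bool = False
    kind: str = "user"  # "user", "application" or "admin"


@dataclass
class DbSnapshot:
    product: str
    version: str
    audit_enabled: bool
    accounts: list


def check_default_accounts(snap: DbSnapshot) -> list:
    """Identification/authentication: a vendor default account must not keep
    its default password, and must be locked if it is still present."""
    findings = []
    for acct in snap.accounts:
        default_pw = DEFAULT_CREDENTIALS.get(snap.product, {}).get(acct.name)
        if default_pw is None:
            continue
        if acct.password_hash == sha256_hex(default_pw):
            findings.append(f"{acct.name}: default password still set")
        elif not acct.locked:
            findings.append(f"{acct.name}: default account present and unlocked")
    return findings


def check_least_privilege(snap: DbSnapshot) -> list:
    """Access on job necessity: application accounts hold no admin roles."""
    return [f"{a.name}: application account holds {sorted(a.roles & ADMIN_ROLES)}"
            for a in snap.accounts
            if a.kind == "application" and a.roles & ADMIN_ROLES]


def check_auditing(snap: DbSnapshot) -> list:
    """Recording user activity: auditing must be switched on."""
    return [] if snap.audit_enabled else ["auditing disabled"]


def check_patch_level(snap: DbSnapshot, current_versions: dict) -> list:
    """Updating database software: installed version must be at the current
    patch level recorded for that product (dotted versions compared numerically)."""
    installed = tuple(int(p) for p in snap.version.split("."))
    current = current_versions[snap.product]
    if installed >= tuple(int(p) for p in current.split(".")):
        return []
    return [f"version {snap.version} behind current {current}"]


def assess(snap: DbSnapshot, current_versions: dict) -> dict:
    """Run every check; a control fails if it produced any finding."""
    findings = {
        "default_accounts": check_default_accounts(snap),
        "least_privilege": check_least_privilege(snap),
        "auditing": check_auditing(snap),
        "patch_level": check_patch_level(snap, current_versions),
    }
    failed = sum(1 for f in findings.values() if f)
    return {"findings": findings, "failed": failed,
            "tested": len(findings), "fail_rate": failed / len(findings)}


# Constructed snapshot of one Oracle database; names, version and hashes are
# made up for the example.
SAMPLE = DbSnapshot(
    product="oracle", version="10.2.0.2", audit_enabled=True,
    accounts=[
        Account("SYS", sha256_hex("Str0ng-Adm1n-Passphrase"), {"DBA"}, kind="admin"),
        Account("SCOTT", sha256_hex("tiger")),                          # default password kept
        Account("OUTLN", sha256_hex("n0-longer-default"), locked=True),  # changed and locked
        Account("APP_RETURNS", sha256_hex("app-secret-1"), {"CONNECT", "DBA"},
                kind="application"),                                     # app account is DBA
    ],
)
# Assumed baseline patch levels; a real tool would take these from the
# standard configuration rather than hard-coding them.
CURRENT_VERSIONS = {"oracle": "10.2.0.3", "sqlserver": "9.0.3042", "db2": "8.1.12"}

if __name__ == "__main__":
    result = assess(SAMPLE, CURRENT_VERSIONS)
    for control, items in result["findings"].items():
        print(control, "PASS" if not items else "FAIL: " + "; ".join(items))
    print(f"{result['failed']} of {result['tested']} controls failed")
```

On the constructed snapshot three of the four controls fail (the unchanged SCOTT password, the application account holding DBA, and the out-of-date patch level), which is the kind of per-control result a quarterly compliance tool would feed into a rating. The default-account check deliberately compares hashes of the known default passwords rather than account names alone, because a default account that has been re-passworded and locked is not a finding.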
However, the Mission Assurance and Security Services organization currently does not have tools to test compliance with standard database security configurations. Mission Assurance and Security Services organization management informed us that efforts are underway to implement a testing tool by mid-summer 2007. There are, however, no project plans or procedures to aid in managing this effort.

[7] An independent technical evaluation for the purpose of accreditation that uses security requirements as the criteria for the evaluation.

Recommendations

To ensure the applications we reviewed comply with IRS database security requirements:

Recommendation 1: The Chief Information Officer should ensure the database security control weaknesses we identified are corrected.

Management’s Response: The Chief Information Officer agreed with this recommendation. Each of the database security control weaknesses that were identified in the specific applications will be included in corrective plans of action and milestones, as required by the Federal Information Security Management Act.[8] Priority will be placed on correcting or mitigating any identified high risk weaknesses. As medium or low risk weaknesses are reviewed, the plans will reflect whether the weaknesses are to be corrected or mitigated, or whether the applicable approving official has made a risk acceptance determination. In addition, a project officer will be assigned to coordinate all activities required to resolve all IRS-wide issues associated with the implementation of database security controls in IRS systems. Several of the database security control weaknesses, such as auditing, will be addressed as part of the IRS computer security material weakness corrective action plans.

[8] Pub. L. No. 107-347, Title III, 116 Stat. 2946 (2002).

To improve communication of standard database security configurations:

Recommendation 2: The Chief Information Officer should re-publicize the standard database security configurations and coordinate with IRS organizations to ensure the configurations are effectively distributed to necessary personnel or employees are advised to access the Mission Assurance and Security Services organization web site where the configurations are posted.

Management’s Response: The Chief Information Officer agreed with this recommendation. In July 2007, the information technology security program within the Mission Assurance and Security Services organization was realigned to a new Cybersecurity organization within the Modernization and Information Technology Services organization. This new organization is headed by an Associate Chief Information Officer for Cybersecurity, who will notify other IRS organizations of the database security configuration guidance posted on the Cybersecurity organization web site. This information will also be formally re-publicized using available communications capabilities supporting computer systems governance and oversight.

Recommendation 3: The Chief Information Officer should ensure the Modernization and Information Technology Services organization’s internal web sites refer to the Mission Assurance and Security Services organization web site for current security configurations.

Management’s Response: The Chief Information Officer agreed with this recommendation. The IRS will remind the Associate Chief Information Officers in the Modernization and Information Technology Services organization to ensure their internal web sites refer to the Cybersecurity organization web site for current security configuration guidance. In addition, to improve uniformity in current security configuration guidance, the IRS will distribute a memorandum to the Associate Chief Information Officers reiterating the policy to post only documentation on their internal web sites that is owned and maintained by their organizations.

To ensure security roles and responsibilities are enforced for IRS databases:

Recommendation 4: The Chief Information Officer should ensure security and administration responsibilities are properly assigned for all IRS databases.

Management’s Response: The Chief Information Officer agreed with this recommendation. The Associate Chief Information Officer for Cybersecurity will assign a project officer to coordinate activities required to resolve all IRS-wide issues associated with the implementation of database security controls in IRS systems. The associated project plan will include the coordination activities required to ensure a full accounting and inventory exists for all IRS databases, and that each of the databases has individuals assigned to specifically perform security and administration responsibilities.

In conjunction with the IRS’ material weakness for information technology security roles and responsibilities, database security roles and responsibilities have been developed and documented in IRS manuals. At a minimum, periodic checks as part of the annual Federal Information Security Management Act review will be conducted to ensure the assignment of security and administrative responsibilities is in compliance with IRS policy.

Recommendation 5: The Chief Information Officer should investigate alternatives for ensuring employees are aware of their database security responsibilities, such as establishing an element in employee performance plans specifically for carrying out their database security responsibilities. For whichever alternative is used, managers should ensure employees are held accountable for meeting those responsibilities.

Management’s Response: The Chief Information Officer agreed with this recommendation. The Associate Chief Information Officer for Cybersecurity will ensure that quarterly compliance reviews by its field staff will specifically review compliance with database security roles and responsibilities. Formal noncompliance reports will be forwarded to IRS executives so managers can take appropriate actions to address and resolve any employee violations.
Individual managers can decide whether\n       additional training or disciplinary actions are the appropriate remedy for those employees\n       who fail to meet assessment standards.\n       An assessment of compliance with assigned security roles and responsibilities, including\n       those for databases, will be included in the IRS\xe2\x80\x99 annual Federal Information Security\n       Management Act assessment.\nTo improve the IRS\xe2\x80\x99 ability to detect noncompliance with database security requirements and\nemphasize the importance of database security controls:\nRecommendation 6: The Chief Information Officer should ensure security testing evaluates\ncompliance with standard database security configurations.\n       Management\xe2\x80\x99s Response: The Chief Information Officer agreed with this\n       recommendation. The Associate Chief Information Officer for Cybersecurity will\n       include appropriate NIST 800-53 controls relating to standard database security\n       configurations in the list of \xe2\x80\x9cvolatile\xe2\x80\x9d controls to be tested annually.\nRecommendation 7: The Chief Information Officer should develop an implementation plan\nfor the organization\xe2\x80\x99s database compliance assessment tool that adequately defines the scope of\nthe databases tested, the requirements to be tested, the timing of tests, and the schedule for\nimplementation. 
To ensure security controls are adequately considered by application project\noffices, application development databases should be included in the scope of database testing.\n\n                                                                                           Page 9\n\x0c                   Standard Database Security Configurations Are Adequate,\n               Although Much Work Is Needed to Ensure Proper Implementation\n\n\n\nA standard operating procedure should be developed to accompany the tool\xe2\x80\x99s implementation.\nThese procedures should describe the process and responsible organizations for addressing the\noutcome and remediation of the results of the compliance assessment tool.\n       Management\xe2\x80\x99s Response: The Chief Information Officer agreed with this\n       recommendation. The IRS will implement a process for detecting noncompliance with\n       database security requirements. This will include an implementation plan for the\n       organization\xe2\x80\x99s database compliance assessment tool that adequately defines the scope of\n       the databases tested, the requirements to be tested, the timing of tests, and the schedule\n       for implementation. In addition, standard operating procedures will be developed to\n       accompany the tool\xe2\x80\x99s implementation. 
These procedures will describe the process and\n       responsible organizations for addressing the outcome and remediation of the results of the\n       compliance assessment tool.\n\n\n\n\n                                                                                         Page 10\n\x0c                  Standard Database Security Configurations Are Adequate,\n              Although Much Work Is Needed to Ensure Proper Implementation\n\n\n\n                                                                                 Appendix I\n\n        Detailed Objective, Scope, and Methodology\n\nThe objective of our review was to determine whether the IRS\xe2\x80\x99 standard database security\nconfigurations were adequate and effectively implemented. To accomplish this objective, we:\nI.     Determined whether the IRS standard database security configurations were adequate.\n       A. Determined whether current standard database security configurations existed for all\n          database management systems.\n       B. Assessed the adequacy of IRS standard database security configurations. For this\n          analysis, we used the security configurations specified in the Defense Information\n          Systems Agency Database Security checklist as criteria. To identify databases in use\n          by the IRS, we used network scanning software to scan the IRS network, which\n          identified services listening on specified network ports. We scanned 45 networking\n          ports that are commonly used by database systems. Most IRS network segments were\n          scanned, although those from the Office of Chief Counsel and the Criminal\n          Investigation organization were omitted. These organizations manage their own\n          databases and were not included in the scope of this review.\n       C. Assessed the effect of inadequate standard configurations.\nII.    
Determined whether the IRS standard database security configurations were effectively\n       implemented.\n       A. Determined whether technical database controls specified in IRS standard database\n          security configurations and the NIST Recommended Security Controls for Federal\n          Information Systems (Special Publication 800-53) were implemented on IRS systems.\n          We assessed controls using a database scanning tool that collected information from\n          IRS databases and analyzed it to identify weaknesses. We selected applications for\n          review using several factors, including being a part of the IRS tax administration\n          process, database technology used (i.e., Oracle, SQL Server, or DB2), importance of\n          the system, and business system owner. Mainframe computers were not included in\n          this analysis because IRS standard database security configurations pertain primarily\n          to computers running UNIX and Microsoft Windows operating systems. We did not\n          assess the implementation of database controls on mainframe computers.\n       B. Assessed the effect of database vulnerabilities on the IRS.\n       C. Determined why the vulnerabilities occurred.\n\n\n                                                                                       Page 11\n\x0c                  Standard Database Security Configurations Are Adequate,\n              Although Much Work Is Needed to Ensure Proper Implementation\n\n\n\n                                                                              Appendix II\n\n                 Major Contributors to This Report\n\nMargaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)\nStephen R. 
Mullins, Director\nJoan Raniolo, Acting Audit Manager\nMarybeth Schumann, Audit Manager\nMichael Howard, Lead Auditor\nDan Ardeleano, Senior Auditor\nAllen Gray, Senior Auditor\nAbraham Millado, Senior Auditor\nJacqueline Nguyen, Senior Auditor\nMidori Ohno, Senior Auditor\nLarry Reimer, Senior Auditor\n\n\n\n\n                                                                                     Page 12\n\x0c                  Standard Database Security Configurations Are Adequate,\n              Although Much Work Is Needed to Ensure Proper Implementation\n\n\n\n                                                                 Appendix III\n\n                         Report Distribution List\n\nActing Commissioner C\nOffice of the Commissioner \xe2\x80\x93 Attn: Acting Chief of Staff C\nDeputy Commissioner for Operations Support OS\nChief Counsel CC\nNational Taxpayer Advocate TA\nDirector, Office of Legislative Affairs CL:LA\nDirector, Office of Program Evaluation and Risk Analysis RAS:O\nOffice of Internal Control OS:CFO:CPIC:IC\nAudit Liaisons:\n       Chief Information Officer OS:CIO\n       Director, Program Oversight OS:CIO:SM:PO\n\n\n\n\n                                                                       Page 13\n\x0c                     Standard Database Security Configurations Are Adequate,\n                 Although Much Work Is Needed to Ensure Proper Implementation\n\n\n\n                                                                                             Appendix IV\n\n                      Scope of Database Assessment\n\nThis appendix provides additional details on the scope of the applications and database controls\ntested in this review. During this review, we assessed eight applications for adequacy of the\nimplementation of database security requirements. 
Table 1 identifies these applications and the\nnumber and location of databases tested.\n                               Table 1: List of Applications Tested\n                                        Database           Enterprise               Austin        Atlanta\n                                        Software        Computing Center            Campus        Campus\n           Application                    Used             \xe2\x80\x93 Memphis\n Automated Lien System                 Oracle                      1                    0              0\n Correspondence Imaging                DB2                         4                    1              1\n System\n Electronic Federal Tax                Oracle                      1                    0              0\n Payment System\n Electronic Management                 Oracle                      1                    0              0\n System\n Individual Taxpayer                   Oracle                      1                    0              0\n Identification Number\n Integrated Submission and             SQL Server                  0                    2              2\n Remittance Processing\n On Line Notice Review                 SQL Server                  0                    1              1\n Tax Exempt/Government                 SQL Server                  1                    0              0\n Entities Reporting and\n Electronic Examination\n System\nSource: Treasury Inspector General for Tax Administration assessment of selected IRS databases, using data\ncollected from these systems.\n\n\n\n\n                                                                                                       Page 14\n\x0c                      Standard Database Security Configurations Are Adequate,\n                  Although Much Work Is Needed to Ensure Proper Implementation\n\n\n\n We tested controls against the IRS standard database security configurations. 
We tested basic\n controls in four areas, which match the NIST Recommended Security Controls for Federal\n Information Systems (Special Publication 800-53) controls described in Table 2.\n                                Table 2: Database Controls Tested\n Category                NIST Special Publication 800-53 Control           Control Number\n Access Controls         Least Privilege: The information system           Access Control \xe2\x80\x93 6\n                         enforces the most restrictive set of rights and\n                         privileges or accesses needed by users (or\n                         processes acting on behalf of users) for the\n                         performance of specified tasks.\n Auditable Events        Auditable Events: The information system          Audit and\n                         generates audit records for the                   Accountability \xe2\x80\x93 2\n                         organization-defined auditable events.\n User Identification     User Identification and Authentication: The       Identification and\n and Authentication      information system uniquely identifies and        Authentication \xe2\x80\x93 2\n                         authenticates users (or processes acting on\n                         behalf of users).\n Database Software       Flaw Remediation: The organization identifies,    System and Information\n Updates                 reports, and corrects information system flaws.   
Integrity \xe2\x80\x93 2\nSource: NIST Special Publication 800-53.\n\n\n\n\n                                                                                           Page 15\n\x0c                      Standard Database Security Configurations Are Adequate,\n                  Although Much Work Is Needed to Ensure Proper Implementation\n\n\n\n                                                                                                 Appendix V\n\n                      Details of Database Assessment\n\nThis appendix provides additional details of the database security controls tested during this\nreview. As stated in the report, the databases we reviewed failed 30 percent of the more than\n800 controls tested. Table 1 summarizes the test results:\n                            Table 1: Summary of Control Test Results\n                             Database                Percentage of Tests Failed\n                             Oracle                            33 percent\n                             SQL Server                        35 percent\n                             DB2                               24 percent\n                             All databases                     30 percent\n                            Source: Treasury Inspector General for Tax Administration\n                            assessment of selected IRS databases, using data collected\n                            from these systems.\n\nThe IRS has established a method for rating operating system compliance with IRS requirements\nand assigning a color rating. Using this methodology, we determined that each database received\nthe lowest rating possible, RED. 
Table 2 summarizes our compliance rating results:\n                            Table 2: Summary of Compliance Ratings\n       Database            Compliance              Average High-Risk                       Compliance\n                             Score1            Vulnerabilities per Database2                 Rating\n       Oracle                   71%                             8.5                            RED\n       SQL Server               74%                            10.6                            RED\n       DB2                      80%                             3.0                            RED\n       Overall                  75%                             7.4                            RED\n     Source: Treasury Inspector General for Tax Administration assessment of selected IRS databases, using\n     data collected from these systems, and IRS compliance assessment guides for Windows and UNIX operating\n     systems.\n\n\n\n1\n  The compliance score represents how well the standard database security configurations tested were met. 
Test\nscores were weighted based on the level of risk associated with the configuration being tested.\n2\n  This average represents how many high-risk vulnerabilities were found, on average, for each of the three types of\ndatabase software tested.\n                                                                                                           Page 16\n\x0c\x0c\x0c\x0c\x0c       Standard Database Security Configurations Are Adequate,\n   Although Much Work Is Needed to Ensure Proper Implementation\n\n\n\n                                                   Appendix VI\n\nManagement\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                                         Page 21\n\x0c    Standard Database Security Configurations Are Adequate,\nAlthough Much Work Is Needed to Ensure Proper Implementation\n\n\n\n\n                                                      Page 22\n\x0c    Standard Database Security Configurations Are Adequate,\nAlthough Much Work Is Needed to Ensure Proper Implementation\n\n\n\n\n                                                      Page 23\n\x0c    Standard Database Security Configurations Are Adequate,\nAlthough Much Work Is Needed to Ensure Proper Implementation\n\n\n\n\n                                                      Page 24\n\x0c    Standard Database Security Configurations Are Adequate,\nAlthough Much Work Is Needed to Ensure Proper Implementation\n\n\n\n\n                                                      Page 25\n\x0c'